Dailydave mailing list archives
Re: Vuln scoring system anyone?
From: Oliv <odevaux () gmail com>
Date: Wed, 2 Mar 2005 10:40:25 -0800
Here is the web app: http://www.vulnerabilite.com/cvss_en/

Oliv

On Tue, 01 Mar 2005 11:18:14 -0500, Dave Aitel <dave () immunitysec com> wrote:
Brian Erdelyi wrote:

>> Ok, well now that I've read the report, I can comment on it:
>>
>> 1. It turns out "access complexity" means "race conditions or client side vulns"
>
> I didn't try to be too narrow with my interpretation of Access Complexity; I think it's a great term. One of my personal beefs is that some people neglect to differentiate between the levels of access required to exploit the vulnerability. If authentication is required, are admin/root privileges required to exploit it? To exploit the vuln, does it require user interaction? Maybe this is what you mean by "race condition or client side vuln"?

I just think it was a bit confusing when presented without supporting text. Maybe you could make it a web app instead of an Excel spreadsheet. :>

>> 2. "Report Confidence" as "uncorroborated" as "Multiple non-official sources; possibly including independent security companies or research organizations." Then as "Confirmed" as "Vendor has reported/confirmed a problem within its own product." This is basically
>
> I think that may be a more intuitive distinction. I don't think it's reversed since it is intended that the vendor confirm it. Personally, I would refer to "Impact Bias" as "Impact Priority".

Hmm. I guess my point here is that vendors are very bad places to get your vulnerability information. When we release a WINS overflow, and it works, that means there's a 100% chance of an exploitable vulnerability. Microsoft won't acknowledge that until they have a patch, which games the system a bit. When Cisco releases an advisory on BGP saying it's a DoS, that's misleading. Etc.

The other thing that wasn't answered for me by the presentations was: what makes this set of metrics more special than other metrics? Is it just buy-in from the vendors? Is there some sort of test we can run that will demonstrate its usefulness over others?
-dave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
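The exchange above argues about two of the knobs in the scoring system under discussion: Report Confidence (uncorroborated versus vendor-confirmed) and how the impact of a bug gets classified. The following is an added worked example, not code from this thread, from the linked web app, or from the CVSS authors: it implements the base and temporal formula of the 2005 CVSS v1 draft as I remember it (weights and formula are an assumption to verify against the specification) and then scores two constructed scenarios modelled on the mail, a remote unauthenticated overflow with a working third-party exploit that the vendor has not yet acknowledged, and a remote bug scored as denial of service only versus as full compromise. Function and scenario names are mine.

```python
"""CVSS v1 style base/temporal scoring, to show how Report Confidence and
impact classification move the number.  Added example, not code from this
thread or from the CVSS authors.  Metric weights are the 2005 CVSS v1 draft
values as I remember them: treat them as an assumption and verify against
the specification before relying on them."""

from decimal import Decimal, ROUND_HALF_UP

D = Decimal

# Base metrics (assumed CVSS v1 weights)
ACCESS_VECTOR = {"local": D("0.7"), "remote": D("1.0")}
ACCESS_COMPLEXITY = {"high": D("0.8"), "low": D("1.0")}
AUTHENTICATION = {"required": D("0.6"), "not_required": D("1.0")}
IMPACT = {"none": D("0"), "partial": D("0.7"), "complete": D("1.0")}
# Impact Bias: weights applied to (confidentiality, integrity, availability)
IMPACT_BIAS = {
    "normal": (D("0.333"), D("0.333"), D("0.333")),
    "confidentiality": (D("0.5"), D("0.25"), D("0.25")),
    "integrity": (D("0.25"), D("0.5"), D("0.25")),
    "availability": (D("0.25"), D("0.25"), D("0.5")),
}

# Temporal metrics (assumed CVSS v1 weights)
EXPLOITABILITY = {"unproven": D("0.85"), "proof_of_concept": D("0.9"),
                  "functional": D("0.95"), "high": D("1.0")}
REMEDIATION_LEVEL = {"official_fix": D("0.87"), "temporary_fix": D("0.90"),
                     "workaround": D("0.95"), "unavailable": D("1.0")}
REPORT_CONFIDENCE = {"unconfirmed": D("0.90"), "uncorroborated": D("0.95"),
                     "confirmed": D("1.0")}


def _one_decimal(value):
    """Round half-up to one decimal with Decimal, so a value such as 8.25 is
    not mis-rounded by binary floating point; return a plain float."""
    return float(value.quantize(D("0.1"), rounding=ROUND_HALF_UP))


def base_score(access_vector, access_complexity, authentication,
               conf, integ, avail, bias="normal"):
    """Base score = 10 * AV * AC * Au * (C*wC + I*wI + A*wA)."""
    w_c, w_i, w_a = IMPACT_BIAS[bias]
    impact = IMPACT[conf] * w_c + IMPACT[integ] * w_i + IMPACT[avail] * w_a
    raw = (D(10) * ACCESS_VECTOR[access_vector]
           * ACCESS_COMPLEXITY[access_complexity]
           * AUTHENTICATION[authentication] * impact)
    return _one_decimal(raw)


def temporal_score(base, exploitability, remediation, confidence):
    """Temporal score = Base * E * RL * RC.  Every factor is <= 1, so the
    temporal metrics can only pull the base score down."""
    raw = (D(str(base)) * EXPLOITABILITY[exploitability]
           * REMEDIATION_LEVEL[remediation] * REPORT_CONFIDENCE[confidence])
    return _one_decimal(raw)


def confidence_walkthrough():
    """Constructed scenario: a remote, unauthenticated overflow giving full
    control.  A third party has a working exploit; the vendor has not yet
    acknowledged the bug.  Returns the score at each stage of disclosure."""
    base = base_score("remote", "low", "not_required",
                      "complete", "complete", "complete")
    return {
        "base": base,
        # exploit works, no patch, vendor silent: confidence stuck at uncorroborated
        "exploit_out_vendor_silent":
            temporal_score(base, "functional", "unavailable", "uncorroborated"),
        # identical facts, scored as if the vendor had confirmed
        "exploit_out_vendor_confirmed":
            temporal_score(base, "functional", "unavailable", "confirmed"),
        # vendor confirms on patch day: confidence rises, remediation level drops
        "patch_day":
            temporal_score(base, "functional", "official_fix", "confirmed"),
    }


def impact_walkthrough():
    """Constructed scenario: the same remote bug scored as the advisory
    describes it (denial of service only) versus as a full compromise."""
    return {
        "dos_only": base_score("remote", "low", "not_required",
                               "none", "none", "complete"),
        "dos_only_availability_bias": base_score("remote", "low", "not_required",
                                                 "none", "none", "complete",
                                                 bias="availability"),
        "full_compromise": base_score("remote", "low", "not_required",
                                      "complete", "complete", "complete"),
    }


if __name__ == "__main__":
    for name, scores in (("report confidence", confidence_walkthrough()),
                         ("impact classification", impact_walkthrough())):
        print(name)
        for label, score in scores.items():
            print(f"  {label:30} {score:4.1f}")
```

Under these assumed weights the working exploit scores 9.0 while the vendor stays silent and 9.5 the moment the same facts are marked confirmed; on patch day the confidence gain is offset by the official-fix discount and the score drops to 8.3. The denial-of-service classification yields 3.3 (5.0 with the availability bias) against 10.0 for full compromise, which is the size of the gap an advisory's impact wording can open. Decimal arithmetic is used so that the one-decimal rounding is reproducible across implementations.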
Current thread:
- Re: Vuln scoring system anyone?, (continued)
- Re: Vuln scoring system anyone? Brian Erdelyi (Mar 01)
- Re: Vuln scoring system anyone? Dave Aitel (Mar 01)
- Re: Vuln scoring system anyone? Brian Erdelyi (Mar 01)
- Re: Vuln scoring system anyone? security curmudgeon (Mar 01)
- Re: Vuln scoring system anyone? Brian (Mar 01)
- Re: Vuln scoring system anyone? security curmudgeon (Mar 01)
- Re: Vuln scoring system anyone? Blue Boar (Mar 01)
- Re: Vuln scoring system anyone? security curmudgeon (Mar 01)
- Re: Vuln scoring system anyone? Brian (Mar 01)
- Re: Vuln scoring system anyone? security curmudgeon (Mar 01)
- Re: Vuln scoring system anyone? Oliv (Mar 02)
- Re: Vuln scoring system anyone? Tom Parker (Mar 02)
- Re: Vuln scoring system anyone? Jason (Mar 02)
- Re: Vuln scoring system anyone? Kurt Seifried (Mar 02)
- RE: Vuln scoring system anyone? Ben Nagy (Mar 03)
- Re: Vuln scoring system anyone? security curmudgeon (Mar 01)
- Re: Vuln scoring system anyone? Frank Knobbe (Mar 01)
- Re: Vuln scoring system anyone? Blue Boar (Mar 01)
- Re: Vuln scoring system anyone? security curmudgeon (Mar 01)